Bee Token, a San Francisco-based decentralized home sharing startup, has been hacked. The company’s initial coin offering (ICO) — which launched on Wednesday (January 31) — was derailed on Thursday (February 1), a mere 25 hours after the launch, as the attackers duped gullible investors and made off with nearly $1 million worth of Ethereum in an apparent phishing scam.

The attackers coordinated their phishing emails around the same time with the official launch of the Bee Token ICO. Using email addresses like presale_registration@thebeetoken.com, the scammers contacted potential buyers who then signed up for the full token sale. The scheme involved emailing the victims an ethereum address or a QR code which lead to the address, telling them to invest as fast as they possibly can to significantly increase their returns, according to Twitter user @Solid_Crypto_ who shared the email they received. In such a manner, the attackers collected at least $928,000 from potential investors.

How the scammers acquired investors’ emails is not immediately clear, but one Reddit user claims the startup failed to properly protect their email database. Last week, the company confirmed the existence of the scams on its official Twitter and Medium accounts, warning users that emails and Telegram messages directly encouraging users to send funds are likely fraudulent, and said that investors should only send funds to an address listed on the startup’s official website.

Bee Token has written: “We will NEVER communicate ANY funding address via any channel other than on beetoken.com. If you are solicited to send money to an address (even if it’s from a thebeetoken.com email address, official Bee Token social media accounts, or Bee Token telegram moderator/group), please report this to a moderator on Telegram (@DTodd) and email team@thebeetoken.com.”